Code cleanup

2025-12-24 08:29:07 +00:00 · 2011-02-06 22:32:44 +00:00
parent ecaf5729fd
commit f3d6be7868
3 changed files with 19 additions and 13 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -249,3 +249,6 @@ URI_INJECTION_MARK_CHAR = '*'

 # Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings
 MYSQL_ERROR_TRIM_LENGTH = 100
+
+#
+EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ")
--- a/lib/core/unescaper.py
+++ b/lib/core/unescaper.py
@@ -9,16 +9,20 @@ See the file 'doc/COPYING' for copying permission

 from lib.core.common import Backend
 from lib.core.datatype import advancedDict
+from lib.core.settings import EXCLUDE_UNESCAPE

 class Unescaper(advancedDict):
    def unescape(self, expression, quote=True, dbms=None):
+        if expression is None:
+            return expression
+
+        for exclude in EXCLUDE_UNESCAPE:
+            if exclude in expression:
+                return expression
+
        identifiedDbms = Backend.getIdentifiedDbms()

-        if not expression:
-            return expression
-        elif "WAITFOR DELAY " in expression:
-            return expression
-        elif dbms is not None:
+        if dbms is not None:
            return self[dbms](expression, quote=quote)
        elif identifiedDbms is not None:
            return self[identifiedDbms](expression, quote=quote)